Add tracker rate limiter

server.ts

@@ -10,13 +10,8 @@ if (isTestInstance()) {
 // ----------- Node modules -----------
 import * as bodyParser from 'body-parser'
 import * as express from 'express'
-import * as http from 'http'
 import * as morgan from 'morgan'
-import * as bitTorrentTracker from 'bittorrent-tracker'
 import * as cors from 'cors'
-import { Server as WebSocketServer } from 'ws'
-
-const TrackerServer = bitTorrentTracker.Server
 
 process.title = 'peertube'
 
@@ -75,7 +70,9 @@ import {
   feedsRouter,
   staticRouter,
   servicesRouter,
-  webfingerRouter
+  webfingerRouter,
+  trackerRouter,
+  createWebsocketServer
 } from './server/controllers'
 import { Redis } from './server/lib/redis'
 import { BadActorFollowScheduler } from './server/lib/schedulers/bad-actor-follow-scheduler'
@@ -116,33 +113,6 @@ app.use(bodyParser.json({
   limit: '500kb'
 }))
 
-// ----------- Tracker -----------
-
-const trackerServer = new TrackerServer({
-  http: false,
-  udp: false,
-  ws: false,
-  dht: false
-})
-
-trackerServer.on('error', function (err) {
-  logger.error('Error in websocket tracker.', err)
-})
-
-trackerServer.on('warning', function (err) {
-  logger.error('Warning in websocket tracker.', err)
-})
-
-const server = http.createServer(app)
-const wss = new WebSocketServer({ server: server, path: '/tracker/socket' })
-wss.on('connection', function (ws) {
-  trackerServer.onWebSocketConnection(ws)
-})
-
-const onHttpRequest = trackerServer.onHttpRequest.bind(trackerServer)
-app.get('/tracker/announce', (req, res) => onHttpRequest(req, res, { action: 'announce' }))
-app.get('/tracker/scrape', (req, res) => onHttpRequest(req, res, { action: 'scrape' }))
-
 // ----------- Views, routes and static files -----------
 
 // API
@@ -155,6 +125,7 @@ app.use('/services', servicesRouter)
 app.use('/', activityPubRouter)
 app.use('/', feedsRouter)
 app.use('/', webfingerRouter)
+app.use('/', trackerRouter)
 
 // Static files
 app.use('/', staticRouter)
@@ -181,6 +152,8 @@ app.use(function (err, req, res, next) {
   return res.status(err.status || 500).end()
 })
 
+const server = createWebsocketServer(app)
+
 // ----------- Run -----------
 
 async function startApplication () {

server/controllers/index.ts

@@ -5,3 +5,4 @@ export * from './feeds'
 export * from './services'
 export * from './static'
 export * from './webfinger'
+export * from './tracker'

server/controllers/tracker.ts

@@ -0,0 +1,91 @@
+import { logger } from '../helpers/logger'
+import * as express from 'express'
+import * as http from 'http'
+import * as bitTorrentTracker from 'bittorrent-tracker'
+import * as proxyAddr from 'proxy-addr'
+import { Server as WebSocketServer } from 'ws'
+import { CONFIG, TRACKER_RATE_LIMITS } from '../initializers/constants'
+
+const TrackerServer = bitTorrentTracker.Server
+
+const trackerRouter = express.Router()
+
+let peersIps = {}
+let peersIpInfoHash = {}
+runPeersChecker()
+
+const trackerServer = new TrackerServer({
+  http: false,
+  udp: false,
+  ws: false,
+  dht: false,
+  filter: function (infoHash, params, cb) {
+    let ip: string
+
+    if (params.type === 'ws') {
+      ip = params.socket.ip
+    } else {
+      ip = params.httpReq.ip
+    }
+
+    const key = ip + '-' + infoHash
+
+    peersIps[ip] = peersIps[ip] ? peersIps[ip] + 1 : 1
+    peersIpInfoHash[key] = peersIpInfoHash[key] ? peersIpInfoHash[key] + 1 : 1
+
+    if (peersIpInfoHash[key] > TRACKER_RATE_LIMITS.ANNOUNCES_PER_IP_PER_INFOHASH) {
+      return cb(new Error(`Too many requests (${peersIpInfoHash[ key ]} of ip ${ip} for torrent ${infoHash}`))
+    }
+
+    return cb()
+  }
+})
+
+trackerServer.on('error', function (err) {
+  logger.error('Error in tracker.', { err })
+})
+
+trackerServer.on('warning', function (err) {
+  logger.warn('Warning in tracker.', { err })
+})
+
+const onHttpRequest = trackerServer.onHttpRequest.bind(trackerServer)
+trackerRouter.get('/tracker/announce', (req, res) => onHttpRequest(req, res, { action: 'announce' }))
+trackerRouter.get('/tracker/scrape', (req, res) => onHttpRequest(req, res, { action: 'scrape' }))
+
+function createWebsocketServer (app: express.Application) {
+  const server = http.createServer(app)
+  const wss = new WebSocketServer({ server: server, path: '/tracker/socket' })
+  wss.on('connection', function (ws, req) {
+    const ip = proxyAddr(req, CONFIG.TRUST_PROXY)
+    ws['ip'] = ip
+
+    trackerServer.onWebSocketConnection(ws)
+  })
+
+  return server
+}
+
+// ---------------------------------------------------------------------------
+
+export {
+  trackerRouter,
+  createWebsocketServer
+}
+
+// ---------------------------------------------------------------------------
+
+function runPeersChecker () {
+  setInterval(() => {
+    logger.debug('Checking peers.')
+
+    for (const ip of Object.keys(peersIpInfoHash)) {
+      if (peersIps[ip] > TRACKER_RATE_LIMITS.ANNOUNCES_PER_IP) {
+        logger.warn('Peer %s made abnormal requests (%d).', ip, peersIps[ip])
+      }
+    }
+
+    peersIpInfoHash = {}
+    peersIps = {}
+  }, TRACKER_RATE_LIMITS.INTERVAL)
+}

server/initializers/constants.ts

@@ -450,6 +450,14 @@ const FEEDS = {
 
 // ---------------------------------------------------------------------------
 
+const TRACKER_RATE_LIMITS = {
+  INTERVAL: 60000 * 5, // 5 minutes
+  ANNOUNCES_PER_IP_PER_INFOHASH: 10, // maximum announces per torrent in the interval
+  ANNOUNCES_PER_IP: 30 // maximum announces for all our torrents in the interval
+}
+
+// ---------------------------------------------------------------------------
+
 // Special constants for a test instance
 if (isTestInstance() === true) {
   ACTOR_FOLLOW_SCORE.BASE = 20
@@ -482,6 +490,7 @@ export {
   AVATARS_SIZE,
   ACCEPT_HEADERS,
   BCRYPT_SALT_SIZE,
+  TRACKER_RATE_LIMITS,
   CACHE,
   CONFIG,
   CONSTRAINTS_FIELDS,